Merge branch '14660-arvbox-workbench2' refs #14660
authorPeter Amstutz <pamstutz@veritasgenetics.com>
Tue, 8 Jan 2019 22:00:24 +0000 (17:00 -0500)
committerPeter Amstutz <pamstutz@veritasgenetics.com>
Tue, 8 Jan 2019 22:00:24 +0000 (17:00 -0500)
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>

18 files changed:
tools/arvbox/bin/arvbox
tools/arvbox/lib/arvbox/docker/api-setup.sh
tools/arvbox/lib/arvbox/docker/common.sh
tools/arvbox/lib/arvbox/docker/service/certificate/log/main/.gitstub [new file with mode: 0644]
tools/arvbox/lib/arvbox/docker/service/certificate/log/run [new symlink]
tools/arvbox/lib/arvbox/docker/service/certificate/run [new file with mode: 0755]
tools/arvbox/lib/arvbox/docker/service/composer/run
tools/arvbox/lib/arvbox/docker/service/gitolite/run-service
tools/arvbox/lib/arvbox/docker/service/nginx/run-service
tools/arvbox/lib/arvbox/docker/service/ready/run-service
tools/arvbox/lib/arvbox/docker/service/sso/run-service
tools/arvbox/lib/arvbox/docker/service/websockets/run-service
tools/arvbox/lib/arvbox/docker/service/workbench/run
tools/arvbox/lib/arvbox/docker/service/workbench/run-service
tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub [new file with mode: 0644]
tools/arvbox/lib/arvbox/docker/service/workbench2/log/run [new symlink]
tools/arvbox/lib/arvbox/docker/service/workbench2/run [new file with mode: 0755]
tools/arvbox/lib/arvbox/docker/service/workbench2/run-service [new file with mode: 0755]

index 69fc2cedee7c41b6a637e1b7e1f920cb8c17e244..ada53a200984320d1fc89ff32952324dc68ea000 100755 (executable)
@@ -50,6 +50,10 @@ if test -z "$COMPOSER_ROOT" ; then
     COMPOSER_ROOT="$ARVBOX_DATA/composer"
 fi
 
+if test -z "$WORKBENCH2_ROOT" ; then
+    WORKBENCH2_ROOT="$ARVBOX_DATA/workbench2"
+fi
+
 PG_DATA="$ARVBOX_DATA/postgres"
 VAR_DATA="$ARVBOX_DATA/var"
 PASSENGER="$ARVBOX_DATA/passenger"
@@ -100,7 +104,7 @@ wait_for_arvbox() {
     LOGPID=$!
     while read line ; do
         echo $line
-        if echo $line | grep "Workbench is running at" >/dev/null ; then
+        if echo $line | grep "Workbench2 is running at" >/dev/null ; then
             kill $LOGPID
         fi
     done < $FF
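Review bot: The new match still pushes `$line` through an unquoted `echo` and a pipe, so a log line containing `*` or starting with `-n`/`-e` can be mangled before grep ever sees it; `if grep -qF -- "Workbench2 is running at" <<<"$line" ; then` drops the pipe and the unquoted expansion. The `echo $line` on the line above has the same issue but is pre-existing. wait_for_arvbox begins before this hunk.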
@@ -158,7 +162,8 @@ run() {
         echo $localip > $iptemp
         chmod og+r $iptemp
         PUBLIC="--volume=$iptemp:/var/run/localip_override
-              --publish=80:80
+              --publish=443:443
+              --publish=3001:3001
               --publish=8000:8000
               --publish=8900:8900
               --publish=9001:9001
@@ -205,6 +210,9 @@ run() {
         if ! test -d "$COMPOSER_ROOT" ; then
             git clone https://github.com/curoverse/composer.git "$COMPOSER_ROOT"
         fi
+        if ! test -d "$WORKBENCH2_ROOT" ; then
+            git clone https://github.com/curoverse/arvados-workbench2.git "$WORKBENCH2_ROOT"
+        fi
 
         if test "$CONFIG" = test ; then
 
@@ -218,6 +226,7 @@ run() {
                        "--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
                        "--volume=$SSO_ROOT:/usr/src/sso:rw" \
                        "--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+                       "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
                        "--volume=$PG_DATA:/var/lib/postgresql:rw" \
                        "--volume=$VAR_DATA:/var/lib/arvados:rw" \
                        "--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -261,6 +270,7 @@ run() {
                    "--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
                    "--volume=$SSO_ROOT:/usr/src/sso:rw" \
                    "--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+                   "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
                    "--volume=$PG_DATA:/var/lib/postgresql:rw" \
                    "--volume=$VAR_DATA:/var/lib/arvados:rw" \
                    "--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -274,6 +284,7 @@ run() {
             updateconf
             wait_for_arvbox
             echo "The Arvados source code is checked out at: $ARVADOS_ROOT"
+           echo "The Arvados testing root certificate is $VAR_DATA/root-cert.pem"
         else
             echo "Unknown configuration '$CONFIG'"
         fi
index 6dd6a65695559a1e0024a0d2af4693632bf6da2e..0f283830f5b4e62fec3f59d761bdfb6704163e4e 100755 (executable)
@@ -38,9 +38,6 @@ if ! test -s /var/lib/arvados/management_token ; then
 fi
 management_token=$(cat /var/lib/arvados/management_token)
 
-# self signed key will be created by SSO server script.
-test -s /var/lib/arvados/self-signed.key
-
 sso_app_secret=$(cat /var/lib/arvados/sso_app_secret)
 
 if test -s /var/lib/arvados/vm-uuid ; then
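Review bot: The removed `test -s /var/lib/arvados/self-signed.key` was the only start-order guard in this script, and nothing replaces it even though the config written further down now sets `sso_insecure: false`, which makes the API server verify the SSO certificate against the root CA that the new certificate service installs via update-ca-certificates. If this script runs before that service has finished, the API server starts with a trust store lacking the arvbox root and SSO logins fail with a TLS error until it is restarted; whether runit's start order already rules that out is not visible here. The sso service kept an equivalent guard, `test -s /var/lib/arvados/server-cert-${localip}.pem`; the same line, or `test -s /usr/local/share/ca-certificates/arvados-testing-cert.crt`, would keep the dependency explicit.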
@@ -58,9 +55,9 @@ $RAILS_ENV:
   sso_app_secret: $sso_app_secret
   sso_app_id: arvados-server
   sso_provider_url: "https://$localip:${services[sso]}"
-  sso_insecure: true
-  workbench_address: "http://$localip/"
-  websocket_address: "ws://$localip:${services[websockets]}/websocket"
+  sso_insecure: false
+  workbench_address: "https://$localip/"
+  websocket_address: "wss://$localip:${services[websockets-ssl]}/websocket"
   git_repo_ssh_base: "git@$localip:"
   git_repo_https_base: "http://$localip:${services[arv-git-httpd]}/"
   new_users_are_active: true
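Review bot: The move to verified TLS stops short of git: `git_repo_https_base: "http://$localip:${services[arv-git-httpd]}/"` stays plaintext while every neighbouring URL in this block became https or wss. As far as I know arv-git-httpd authenticates with the Arvados API token carried as HTTP basic-auth credentials, so git over this base URL would send the token in the clear on the container network; an `arv-git-httpd-ssl` port fronted by nginx with the same server cert, as was done for keep-web and websockets, would close that gap. If leaving git on http is deliberate for the sandbox, a one-line comment on that entry saying so would stop the next reader from treating it as an oversight.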
@@ -70,7 +67,7 @@ $RAILS_ENV:
   auto_setup_new_users_with_repository: true
   default_collection_replication: 1
   docker_image_formats: ["v2"]
-  keep_web_service_url: http://$localip:${services[keep-web]}/
+  keep_web_service_url: https://$localip:${services[keep-web-ssl]}/
   ManagementToken: $management_token
 EOF
 
index a82a964ea9c2f7cec5f16fd474664e89acc2a45c..56d0fa01351c20e02039ca0d801dcf3e8ca10cbd 100644 (file)
@@ -19,20 +19,24 @@ fi
 
 declare -A services
 services=(
-  [workbench]=80
+  [workbench]=443
+  [workbench2]=3000
+  [workbench2-ssl]=3001
   [api]=8004
   [controller]=8003
   [controller-ssl]=8000
   [sso]=8900
   [composer]=4200
   [arv-git-httpd]=9001
-  [keep-web]=9002
+  [keep-web]=9003
+  [keep-web-ssl]=9002
   [keepproxy]=25100
   [keepstore0]=25107
   [keepstore1]=25108
   [ssh]=22
   [doc]=8001
-  [websockets]=8002
+  [websockets]=8005
+  [websockets-ssl]=8002
 )
 
 if test "$(id arvbox -u 2>/dev/null)" = 0 ; then
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/certificate/log/main/.gitstub
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/log/run b/tools/arvbox/lib/arvbox/docker/service/certificate/log/run
new file mode 120000 (symlink)
index 0000000..d6aef4a
--- /dev/null
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/run b/tools/arvbox/lib/arvbox/docker/service/certificate/run
new file mode 100755 (executable)
index 0000000..2b802f2
--- /dev/null
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+. /usr/local/lib/arvbox/common.sh
+
+if test ! -s /var/lib/arvados/root-cert.pem ; then
+    # req           signing request sub-command
+    # -new          new certificate request
+    # -nodes        "no des" don't encrypt key
+    # -sha256       include sha256 fingerprint
+    # -x509         generate self-signed certificate
+    # -subj         certificate subject
+    # -reqexts      certificate request extension for subjectAltName
+    # -extensions   certificate request extension for subjectAltName
+    # -config       certificate generation configuration plus subjectAltName
+    # -out          certificate output
+    # -keyout       private key output
+    # -days         certificate lifetime
+    openssl req \
+           -new \
+           -nodes \
+           -sha256 \
+           -x509 \
+           -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
+           -extensions x509_ext \
+           -config <(cat /etc/ssl/openssl.cnf \
+                         <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+            -out /var/lib/arvados/root-cert.pem \
+            -keyout /var/lib/arvados/root-cert.key \
+            -days 365
+    chown arvbox:arvbox /var/lib/arvados/root-cert.*
+fi
+
+if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
+    # req           signing request sub-command
+    # -new          new certificate request
+    # -nodes        "no des" don't encrypt key
+    # -sha256       include sha256 fingerprint
+    # -subj         certificate subject
+    # -reqexts      certificate request extension for subjectAltName
+    # -extensions   certificate request extension for subjectAltName
+    # -config       certificate generation configuration plus subjectAltName
+    # -out          certificate output
+    # -keyout       private key output
+    # -days         certificate lifetime
+    openssl req \
+           -new \
+           -nodes \
+           -sha256 \
+           -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
+           -reqexts x509_ext \
+           -extensions x509_ext \
+           -config <(cat /etc/ssl/openssl.cnf \
+                         <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+            -out /var/lib/arvados/server-cert-${localip}.csr \
+            -keyout /var/lib/arvados/server-cert-${localip}.key \
+            -days 365
+
+    openssl x509 \
+           -req \
+           -in /var/lib/arvados/server-cert-${localip}.csr \
+           -CA /var/lib/arvados/root-cert.pem \
+           -CAkey /var/lib/arvados/root-cert.key \
+           -out /var/lib/arvados/server-cert-${localip}.pem \
+           -set_serial $RANDOM$RANDOM \
+           -extfile <(cat /etc/ssl/openssl.cnf \
+                         <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+           -extensions x509_ext
+
+    chown arvbox:arvbox /var/lib/arvados/server-cert-${localip}.*
+fi
+
+cp /var/lib/arvados/root-cert.pem /usr/local/share/ca-certificates/arvados-testing-cert.crt
+update-ca-certificates
+
+sv stop certificate
\ No newline at end of file
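Review bot: The CA private key `root-cert.key` and the server key are written with the process's default umask and then only chown'd, so they are most likely 0644 and readable by every account that can see /var/lib/arvados — a directory arvbox bind-mounts from the host's `$VAR_DATA`, the same place it tells users to fetch `root-cert.pem` from to trust in their browser. Anyone with read access there can then mint certificates that user's browser trusts for any name; `chmod 600 /var/lib/arvados/root-cert.key` after the chown, and likewise for `server-cert-${localip}.key`, keeps the keys private while the .pem files stay readable (this assumes nginx and passenger run as arvbox or root, which runsu.sh suggests but the diff does not show). Separately, `-set_serial $RANDOM$RANDOM` yields a roughly 30-bit, non-uniform serial, so regenerating the server cert under the same issuer can repeat a serial and browsers that cached the old cert reject the new one as a reused issuer/serial pair; `-set_serial 0x$(openssl rand -hex 16)` is the usual fix. The `# -sha256 include sha256 fingerprint` comment is also inaccurate: the flag selects the signature digest, not a fingerprint.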
index cd2f86a27e8f96c8a8a37d1a7726a6d88c79dbf6..50a8ce1204bc9c9dacbe76055112fa871716987c 100755 (executable)
@@ -5,4 +5,4 @@
 
 set -e
 
-/usr/local/lib/arvbox/runsu.sh $0-service $1
+exec /usr/local/lib/arvbox/runsu.sh $0-service $1
index eea0e120b29917d31f25016da47e94394804a8c5..6055efc4791e93978ac806f2f3111d7e15c758bb 100755 (executable)
@@ -114,7 +114,7 @@ $RAILS_ENV:
   gitolite_tmp: /var/lib/arvados/git
   arvados_api_host: $localip:${services[controller-ssl]}
   arvados_api_token: "$ARVADOS_API_TOKEN"
-  arvados_api_host_insecure: true
+  arvados_api_host_insecure: false
   gitolite_arvados_git_user_key: "$git_user_key"
 EOF
 
index a55660eb8ab1cd7448c00db4da19fc2632dda473..cf72ed2c2c97fc4364d5148fbf08d7b77807fcc3 100755 (executable)
@@ -37,8 +37,8 @@ http {
   server {
     listen *:${services[controller-ssl]} ssl default_server;
     server_name controller;
-    ssl_certificate "/var/lib/arvados/self-signed.pem";
-    ssl_certificate_key "/var/lib/arvados/self-signed.key";
+    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
     location  / {
       proxy_pass http://controller;
       proxy_set_header Host \$http_host;
@@ -47,6 +47,71 @@ http {
       proxy_redirect off;
     }
   }
+
+upstream arvados-ws {
+  server localhost:${services[websockets]};
+}
+server {
+  listen *:${services[websockets-ssl]} ssl default_server;
+  server_name           websockets;
+
+  proxy_connect_timeout 90s;
+  proxy_read_timeout    300s;
+
+  ssl                   on;
+  ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+  ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+
+  location / {
+    proxy_pass          http://arvados-ws;
+    proxy_set_header    Upgrade         \$http_upgrade;
+    proxy_set_header    Connection      "upgrade";
+    proxy_set_header Host \$http_host;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+  }
+}
+
+  upstream workbench2 {
+    server localhost:${services[workbench2]};
+  }
+  server {
+    listen *:${services[workbench2-ssl]} ssl default_server;
+    server_name workbench2;
+    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    location  / {
+      proxy_pass http://workbench2;
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
+    }
+    location  /sockjs-node {
+      proxy_pass http://workbench2;
+      proxy_set_header    Upgrade         \$http_upgrade;
+      proxy_set_header    Connection      "upgrade";
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    }
+  }
+
+  upstream keep-web {
+    server localhost:${services[keep-web]};
+  }
+  server {
+    listen *:${services[keep-web-ssl]} ssl default_server;
+    server_name keep-web;
+    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    location  / {
+      proxy_pass http://keep-web;
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
+    }
+  }
+
 }
 
 EOF
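Review bot: `ssl on;` in the new websockets server block is redundant with `listen ... ssl` and is the deprecated spelling — nginx has warned on it since 1.15.0 and later releases remove the directive, so depending on the image's nginx version the config either logs a warning or fails to load; dropping that line also matches the other two new server blocks, which rely on `listen` alone. None of the three new blocks sets `client_max_body_size`, so unless the enclosing `http {}` block (outside this hunk) sets it, uploads through the keep-web proxy are capped at nginx's 1m default and return 413; `client_max_body_size 0;` in the keep-web server block is the usual setting for a proxy in front of a file endpoint.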
index 7766fb7ec77b687c7339bfe04ca9d15677ac089a..470d10537556ab797b95edb1042b06411703f820 100755 (executable)
@@ -90,6 +90,7 @@ fi
 
 echo
 echo "Your Arvados-in-a-box is ready!"
-echo "Workbench is running at http://$localip"
+echo "Workbench is running at https://$localip"
+echo "Workbench2 is running at https://$localip:${services[workbench2-ssl]}"
 
 rm -r /tmp/arvbox-ready
index 28140594926be5381737bd85adef390d5fb6f209..af49d4b3c0f829618f6572b800b5eb85597fc779 100755 (executable)
@@ -35,9 +35,7 @@ if ! test -s /var/lib/arvados/sso_secret_token ; then
 fi
 secret_token=$(cat /var/lib/arvados/sso_secret_token)
 
-if ! test -s /var/lib/arvados/self-signed.key ; then
-  openssl req -new -x509 -nodes -out /var/lib/arvados/self-signed.pem -keyout /var/lib/arvados/self-signed.key -days 365 -subj '/CN=localhost'
-fi
+test -s /var/lib/arvados/server-cert-${localip}.pem
 
 cat >config/application.yml <<EOF
 $RAILS_ENV:
@@ -92,5 +90,5 @@ if test "$1" = "--only-setup" ; then
 fi
 
 exec bundle exec passenger start --port=${services[sso]} \
-     --ssl --ssl-certificate=/var/lib/arvados/self-signed.pem \
-     --ssl-certificate-key=/var/lib/arvados/self-signed.key
+     --ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
+     --ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key
index ebdf266c6b0a981710fa598f87968a2022047149..cc330324743a4814bb4c9fee4e4a22e7b1a287de 100755 (executable)
@@ -28,13 +28,13 @@ database_pw=$(cat /var/lib/arvados/api_database_pw)
 cat >/var/lib/arvados/arvados-ws.yml <<EOF
 Client:
   APIHost: $localip:${services[controller-ssl]}
-  Insecure: true
+  Insecure: false
 Postgres:
   dbname: arvados_$RAILS_ENV
   user: arvados
   password: $database_pw
   host: localhost
-Listen: :8002
+Listen: localhost:${services[websockets]}
 EOF
 
 exec /usr/local/bin/arvados-ws -config /var/lib/arvados/arvados-ws.yml
index 5615884f75c25e6d9be859f6181d464d4bfefab2..e65801b447a6819ce4be7f112f2dbbe5aa6e39a9 100755 (executable)
@@ -23,5 +23,7 @@ fi
 
 if test "$1" != "--only-deps" ; then
     exec bundle exec passenger start --port=${services[workbench]} \
+        --ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
+        --ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key \
          --user arvbox
 fi
index 366096ace7a24b28f7286f24d13d941bde368846..68c87233f0001b25a05e38917a3b1356fa49822c 100755 (executable)
@@ -33,18 +33,14 @@ if ! test -s /var/lib/arvados/workbench_secret_token ; then
 fi
 secret_token=$(cat /var/lib/arvados/workbench_secret_token)
 
-if ! test -s self-signed.key ; then
-  openssl req -new -x509 -nodes -out self-signed.pem -keyout self-signed.key -days 365 -subj '/CN=localhost'
-fi
-
 cat >config/application.yml <<EOF
 $RAILS_ENV:
   secret_token: $secret_token
   arvados_login_base: https://$localip:${services[controller-ssl]}/login
   arvados_v1_base: https://$localip:${services[controller-ssl]}/arvados/v1
-  arvados_insecure_https: true
-  keep_web_download_url: http://$localip:${services[keep-web]}/c=%{uuid_or_pdh}
-  keep_web_url: http://$localip:${services[keep-web]}/c=%{uuid_or_pdh}
+  arvados_insecure_https: false
+  keep_web_download_url: https://$localip:${services[keep-web-ssl]}/c=%{uuid_or_pdh}
+  keep_web_url: https://$localip:${services[keep-web-ssl]}/c=%{uuid_or_pdh}
   arvados_docsite: http://$localip:${services[doc]}/
   force_ssl: false
   composer_url: http://$localip:${services[composer]}
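Review bot: `force_ssl: false` (context at the end of the hunk) is left as-is while workbench is now served only over TLS — the port 80 publish was dropped and passenger gets the server cert — and if that key maps to Rails' `config.force_ssl` as its name suggests, leaving it off means the session cookie is not marked Secure and no HSTS header is sent, so the browser would still send the cookie to `http://$localip/` if anything ever links there. Since passenger terminates TLS itself, `request.ssl?` should be true and `force_ssl: true` should not redirect-loop, but that is worth confirming in the sandbox. `composer_url` and `arvados_docsite` also remain http; if workbench embeds either in a page that becomes mixed content on the now-https workbench, otherwise it is just a plain link.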
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/log/run b/tools/arvbox/lib/arvbox/docker/service/workbench2/log/run
new file mode 120000 (symlink)
index 0000000..d6aef4a
--- /dev/null
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/run b/tools/arvbox/lib/arvbox/docker/service/workbench2/run
new file mode 100755 (executable)
index 0000000..50a8ce1
--- /dev/null
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+set -e
+
+exec /usr/local/lib/arvbox/runsu.sh $0-service $1
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/run-service b/tools/arvbox/lib/arvbox/docker/service/workbench2/run-service
new file mode 100755 (executable)
index 0000000..2dbef4a
--- /dev/null
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+.  /usr/local/lib/arvbox/common.sh
+
+cd /usr/src/workbench2
+
+npm -d install --prefix /usr/local --global yarn
+
+yarn install
+
+if test "$1" = "--only-deps" ; then
+    exit
+fi
+
+cat <<EOF > /usr/src/workbench2/public/config.json
+{
+  "API_HOST": "${localip}:${services[controller-ssl]}",
+  "VOCABULARY_URL": "vocabulary-example.json",
+  "FILE_VIEWERS_CONFIG_URL": "file-viewers-example.json"
+}
+EOF
+
+export HTTPS=false
+# Can't use "yarn start", need to run the dev server script
+# directly so that the TERM signal from "sv restart" gets to the
+# right process.
+exec node node_modules/react-scripts-ts/scripts/start.js
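Review bot: The dev server started by `exec node node_modules/react-scripts-ts/scripts/start.js` with `HTTPS=false` listens, by react-scripts' default, on all interfaces on port 3000, so the plaintext workbench2 is reachable directly on the container address alongside the nginx-fronted 3001; the websockets service in this same commit was moved to `Listen: localhost:` for exactly this reason, and `export HOST=localhost` before the exec does the same here (assuming react-scripts-ts honours HOST like react-scripts — verify). `yarn install` without `--frozen-lockfile` silently rewrites the checkout's yarn.lock whenever it disagrees with package.json, and `npm install --global yarn` pulls an unpinned yarn from the registry on every service start; `yarn install --frozen-lockfile` at least keeps the dependency set at what the checkout pins, and pinning the yarn version in the npm install would make the rest reproducible.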